WebApp Sec mailing list archives

Re: Simple to exploit SQL Injection ?


From: Yousef Syed <yousef.syed () gmail com>
Date: Mon, 28 Nov 2005 12:19:59 +0000

Hi Jason,
Try the following Password:
' OR 1=1 --

That should give the following SQL:
'SELECT *
FROM users
WHERE username = 'xyz'
AND password = '' OR 1=1 -- '

Since 1 always evaluates to 1, the rest of the SQL will be ignored and
you should get the result you were expecting. Using the "--" comment
will stop anything else after this from being evaluated. That should
stop you getting any syntax errors.

ys

--
Yousef Syed
"One senior official said the consultancy "doesn't have the greatest
of reputations among civil servants. They come and state the bleeding
obvious using Powerpoint"."

On 28/11/05, Jason binger <cisspstudy () yahoo com> wrote:
I am reviewing a .Net web application. When entering
xyz for a username and ' for a password into a form I
receive the following stack trace (extract):

System.Exception: Can't Load DataReader using SQL
string: 'SELECT * FROM users WHERE username = 'xyz'
AND password = '''' -- Unclosed quotation mark before
the character string '''. Line 1: Incorrect syntax
near '''.

Now I would have thought this would be easy to
exploit, but I can't bypass the logon page. xyz is a
valid username. Any ideas?

Cheers
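Added example (not code from the thread, and not the application Jason is reviewing): the script below rebuilds the query by string concatenation, exactly as the reply lays it out, runs it against an in-memory SQLite table with two constructed rows, and places the parameterised form beside it. It assumes a users(username, password) table; SQLite is a stand-in for the SQL Server backend, so its error text differs from "Unclosed quotation mark" although the cause, an unbalanced quote in the statement, is the same.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the application's users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("xyz", "s3cret"), ("admin", "hunter2")],  # constructed rows, not real credentials
    )
    conn.commit()
    return conn


def build_query(username, password):
    """Concatenation as the stack trace suggests the app does (a reconstruction, not the app's code)."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Runs the concatenated statement; returns matched rows, or the database error if the SQL is malformed."""
    try:
        return conn.execute(build_query(username, password)).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def login_safe(conn, username, password):
    """Same lookup with bound parameters: user input is data and cannot alter the statement."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A lone quote leaves the string literal open: the syntax error from the stack trace.
    print(build_query("xyz", "'"))
    print(login_vulnerable(db, "xyz", "'"))
    # The comment swallows the trailing quote and OR 1=1 makes the WHERE clause true for every row.
    print(build_query("xyz", "' OR 1=1 --"))
    print(login_vulnerable(db, "xyz", "' OR 1=1 --"))
    # The parameterised query treats the same input as a literal password and matches nothing.
    print(login_safe(db, "xyz", "' OR 1=1 --"))
```

The two-row table makes the point visible: the concatenated version returns both users, not just xyz, because `username = 'xyz' AND password = '' OR 1=1` is evaluated as `(... AND ...) OR 1=1`. A logon routine that simply checks "did the query return a row" would then accept the request. Bound parameters (SqlParameter in .NET, `?` placeholders here) are the fix; escaping quotes by hand is what the stack trace suggests the application was attempting, and it evidently was not sufficient.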
